<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:thr="http://purl.org/syndication/thread/1.0">
  <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html" />
  <link rel="self" type="application/atom+xml" href="http://ask-leo.com/atom.xml" />
  <id>tag:ask-leo.com,2009://3/tag:ask-leo.com,2008://3.3262-</id>
  <updated>2009-11-18T17:50:41Z</updated>
  <title>Comments for Can I recover my MSN Hotmail password rather than reset it?</title>
  
  <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.25</generator>

  <entry>
    <id>tag:ask-leo.com,2008://3.3262-comment:31151</id>
    <thr:in-reply-to ref="tag:ask-leo.com,2008://3.3262" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html"/>
    <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html#c31151" />
    <title>Comment from Shahid on 2009-05-03</title>
    <author>
      <name>Shahid</name>
      <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
      <![CDATA[<p>Where can I see the password of my Hotmail account?<br />
<div class="leocomment">As outlined in the article you just commented on: you cannot.<br />
<div class="leocommentsig">- Leo<br /><span class="leocommentdate">04-May-2009</span></div></div></p>]]>
      <p>A comment on: <a href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html">Can I recover my MSN Hotmail password rather than reset it?</a></p>
      <p>
        <a href="http://ask-leo.com">Tech Questions?</a>
        <a href="http://ask-leo.com">Get Answers!</a> -
        <a href="http://ask-leo.com">Ask Leo!</a> ... by Leo Notenboom<br/>
        <a href="http://newsletter.ask-leo.com">Leo's Answers Newsletter</a> -
        <a href="http://ask-leo.com">Ask Leo!</a> in your inbox every week.
      </p>
      <p style="font-size: smaller">All content <a href="http://ask-leo.com/terms.html#copyright">Copyright &copy; 2009</a>.</p>
    </content>
    <published>2009-05-03T15:46:03Z</published>
  </entry>

  <entry>
    <id>tag:ask-leo.com,2008://3.3262-comment:31150</id>
    <thr:in-reply-to ref="tag:ask-leo.com,2008://3.3262" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html"/>
    <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html#c31150" />
    <title>Comment from ammir@msn.com on 2009-01-25</title>
    <author>
      <name>ammir@msn.com</name>
      <uri>http://unspecified</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://unspecified">
      <![CDATA[<p>So if a site sends you a new password, and they have only an encrypted form, then your computer has to know what algorithm to use to duplicate the encryption. How does it find that out? Also, does your computer store the password or the encryption when you tell it to remember your password? If your computer stores the password, is there any way to access it?</p>]]>
    </content>
    <published>2009-01-25T22:42:11Z</published>
  </entry>

  <entry>
    <id>tag:ask-leo.com,2008://3.3262-comment:31149</id>
    <thr:in-reply-to ref="tag:ask-leo.com,2008://3.3262" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html"/>
    <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html#c31149" />
    <title>Comment from Leo A. Notenboom on 2008-01-11</title>
    <author>
      <name>Leo A. Notenboom</name>
      <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
      <![CDATA[<p>-----BEGIN PGP SIGNED MESSAGE-----<br />
Hash: SHA1</p>

<p>Well, it most certainly IS possible. Unfortunately I don't<br />
have a clear metaphor against which to draw a comparison.<br />
The concept of one-way hashes is nothing new, really, and<br />
the foundation of modern cryptography. No, it's nowhere near<br />
as simple as just adding something you could later subtract.<br />
It's quite complex mathematics.</p>

<p>(In fact the PGP signature below this message is another<br />
example of hashes being used :-).</p>

<p>Thanks,</p>

<p>Leo</p>

<p><br />
-----BEGIN PGP SIGNATURE-----<br />
Version: GnuPG v1.4.7 (MingW32)</p>

<p>iD8DBQFHh6w7CMEe9B/8oqERApdzAJ41AfzyeCqU2mo7ZfQtA1D94wuz4wCffAbM<br />
ARNHwGc/FieBU2XlORHtdqU=<br />
=pwr6<br />
-----END PGP SIGNATURE-----</p>]]>
    </content>
    <published>2008-01-11T17:49:19Z</published>
  </entry>

  <entry>
    <id>tag:ask-leo.com,2008://3.3262-comment:31148</id>
    <thr:in-reply-to ref="tag:ask-leo.com,2008://3.3262" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html"/>
    <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html#c31148" />
    <title>Comment from Ronny on 2008-01-10</title>
    <author>
      <name>Ronny</name>
      <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
      <![CDATA[<p>I don't understand how it is possible for a computer to run a password through a formula to convert it to something else but not know how to reverse it; assuming, of course, that you know the original formula.</p>

<p>If I do something simple like adding 7 to each ASCII value, I just subtract 7 to reverse it. I know the conversion is more complex than that. That just makes the reversing more complex, not impossible. Right?</p>]]>
    </content>
    <published>2008-01-11T00:03:38Z</published>
  </entry>

  <entry>
    <id>tag:ask-leo.com,2008://3.3262-comment:31147</id>
    <thr:in-reply-to ref="tag:ask-leo.com,2008://3.3262" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html"/>
    <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html#c31147" />
    <title>Comment from Ken B on 2008-01-10</title>
    <author>
      <name>Ken B</name>
      <uri>http://unspecified</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://unspecified">
      <![CDATA[<p>Chuck:<br />
> your computer has to know what algorithm to use<br />
> to duplicate the encryption</p>

<p>Your computer doesn't need to know anything about the site's encryption methods.  Your computer sends the password itself to the other computer, and the other computer then encrypts your password to see if it matches the saved encrypted version.  </p>

<p>(Hopefully, your computer and the other computer are using a secure means of communication, such as https rather than http.)</p>]]>
    </content>
    <published>2008-01-10T16:40:53Z</published>
  </entry>

  <entry>
    <id>tag:ask-leo.com,2008://3.3262-comment:31146</id>
    <thr:in-reply-to ref="tag:ask-leo.com,2008://3.3262" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html"/>
    <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html#c31146" />
    <title>Comment from Simon on 2008-01-10</title>
    <author>
      <name>Simon</name>
      <uri>http://unspecified</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://unspecified">
      <![CDATA[<p>>It means that in the example above there's no way given <br />
>the "187483f86b7c516e35dc52aa30797f44e73ec734" to <br />
>figure out that the password you used to create it was "Pass!werd".</p>

<p>Not quite true. There's no direct way, certainly; but with passwords below a certain length, there is an indirect way of going 'backward': rainbow tables.</p>

<p>These are basically a vast table of precomputed hash values for every possible password, from aaaaaaa upwards.  The original computation of these hash tables is obviously ridiculously time intensive, but it only needs to be done once; after that, getting a password from a hash is just a matter of comparing the hash values until you get a match, which is a quite quick task.  And, as you'd expect, rainbow tables for the most common hashes (MD5 etc.) are freely available on the internet (bittorrent etc.).</p>

<p>Obviously, though, as password length increases, the length of rainbow tables increases exponentially (Formula: no. of allowable characters ^ length).  Rainbow tables for up to 7 character lowercase alphanumeric passwords are under a gigabyte, meaning the whole table can be stored in RAM on a modern computer; making finding a password a matter of seconds.  Add in the 33 non-alphanumeric characters, though, and the size shoots up to 8 GB -- for 7 characters or under passwords.  Adding in an eighth character, or allowing uppercase characters, makes the size shoot up to the hundreds or thousands of Gigabytes -- time-consuming, but definitely not impossible for someone who has stolen the database and can run the algorithm at their leisure.</p>

<p>A nine character non-alphanumeric password like "Pass!werd" is thus probably effectively immune from this effect, purely for reasons of time.  But only today!  Just as the amount of time it takes to use this technique increases exponentially with password length, so does the power of computer hardware with time increase exponentially -- Moore's law.  Give it another half decade, and hardware will probably be powerful enough for a 9 character password to be viably cracked with rainbow tables.</p>

<p>The most common use of Rainbow tables is thus against Windows' LMHash, which versions of Windows prior to Vista used by default to hash login passwords.  The thing about LMHash is that it splits passwords under 14 characters into two 7-character-long strings (and converted everything to lowercase), making it very easy to crack using 7-character rainbow tables.</p>

<p>There are good defenses against rainbow tables.  For the user, use long passwords (>8 characters), and avoid dictionary words (even a seven character rainbow table will probably have the hashes of all dictionary words included; compared to the rest of the database the size they take up would be minimal).</p>

<p>For the system administrator, there is a technique called 'salting' -- prepend a sequence of characters to every password, hash that, and store the sequence in plaintext; prepending it to every password that user tries to enter.  E.g. User: AskLeo, Password: shortpwd, Randomly-generated-string: 64795138.  The system would hash "64795138shortpwd", and store "AskLeo", "64795138", and the hash in its database.  Any time AskLeo tries to log in, the system would add "64795138" on to the beginning of the password you enter, hash that, and see if that hash matches the stored one.  If the string is long enough, even though the cracker knows the string they would have to make a new Rainbow table for each user (For AskLeo, 64795138aaaaaaa to 64795138zzzzzzz; for someone else, maybe 13576824aaaaaaa  to 13576824zzzzzzz); which destroys the whole point of using rainbow tables.</p>]]>
    </content>
    <published>2008-01-10T12:53:46Z</published>
  </entry>

  <entry>
    <id>tag:ask-leo.com,2008://3.3262-comment:31145</id>
    <thr:in-reply-to ref="tag:ask-leo.com,2008://3.3262" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html"/>
    <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html#c31145" />
    <title>Comment from Chuck Arnett on 2008-01-09</title>
    <author>
      <name>Chuck Arnett</name>
      <uri>http://unspecified</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://unspecified">
      <![CDATA[<p>So if a site sends you a new password, and they have only an encrypted form, then your computer has to know what algorithm to use to duplicate the encryption.  How does it find that out?  Also, does your computer store the password or the encryption when you tell it to remember your password?  If your computer stores the password, is there any way to access it?</p>]]>
    </content>
    <published>2008-01-09T22:16:37Z</published>
  </entry>

  <entry>
    <id>tag:ask-leo.com,2008://3.3262-comment:31144</id>
    <thr:in-reply-to ref="tag:ask-leo.com,2008://3.3262" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html"/>
    <link rel="alternate" type="text/html" href="http://ask-leo.com/can_i_recover_my_msn_hotmail_password_rather_than_reset_it.html#c31144" />
    <title>Comment from Just J on 2008-01-09</title>
    <author>
      <name>Just J</name>
      <uri>http://unspecified</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://unspecified">
      <![CDATA[<p>Message to Arben:  You have clearly NOT read the article (or failed to understand it).</p>

<p>Nice example of password encryption though Leo!</p>]]>
    </content>
    <published>2008-01-09T21:40:01Z</published>
  </entry>

</feed>
